             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       | /_\  /       \___
                          \___  __|__  /   \      \___
             __________________________________________________________

                             INFORMATION BULLETIN

                       xorg-x11-server Security Update
                         [Red Hat RHSA-2008:0031-8]

January 22, 2008 20:00 GMT                                        Number S-123
[REVISED 28 Jan 2008]
[REVISED 31 Jan 2008]
[REVISED 20 Mar 2008]
______________________________________________________________________________
PROBLEM:       There are several security issues in xorg-x11-server:
               1) two integer overflow flaws; 2) a memory corruption flaw;
               3) an input validation flaw; 4) an information disclosure
               flaw; and 5) a flaw was found in the X.Org server's
               XC-SECURITY extension.

PLATFORM:      RHEL Desktop Workstation (v. 5 client)
               Red Hat Enterprise Linux (v. 5 server)
               Red Hat Enterprise Linux Desktop (v. 5 client)
               Debian GNU/Linux 3.1 (oldstable)
               XnView XnView Standard 1.92, 1.91
               XnView NConvert 4.85
               XnView GFL SDK 2.870
               All released X.Org versions are vulnerable to these
               problems. Other implementations derived from the X11
               sample implementation are likely to be affected too.

DAMAGE:        Could cause a denial of service or potentially execute
               arbitrary code with root privileges.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A malicious authorized client could
ASSESSMENT:    exploit this issue to cause a denial of service (crash), or
               potentially execute arbitrary code with root privileges on
               the X.Org server.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-123.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2008-0031.html
 ADDITIONAL LINKS:   https://rhn.redhat.com/errata/RHSA-2008-0064.html
                     http://www.securityfocus.com/bid/27336/discuss
                     http://www.securityfocus.com/bid/25898/discuss
                     http://www.debian.org/security/2008/dsa-1466
                     http://www.securityfocus.com/bid/27514/discuss
                     http://lists.freedesktop.org/archives/xorg/2008-January/031918.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-5760
                     CVE-2007-5958
                     CVE-2007-6427
                     CVE-2007-6428
                     CVE-2007-6429
______________________________________________________________________________
REVISION HISTORY:
 01/28/2008 - revised S-123 to add a link to Debian Security Advisory
              DSA-1466-1 for Debian GNU/Linux 3.1 (oldstable).
 01/31/2008 - revised S-123 to add a link to Security Focus 27514 for
              XnView XnView Standard 1.92, 1.91; XnView NConvert 4.85;
              XnView GFL SDK 2.870.
 03/20/2008 - revised S-123 to add a link to X.Org Security Advisory
              031918, which states that all released X.Org versions are
              vulnerable to these problems and that other implementations
              derived from the X11 sample implementation are likely to be
              affected too.

[***** Start Red Hat RHSA-2008:0031-8 *****]

Important: xorg-x11-server security update

Advisory:          RHSA-2008:0031-8
Type:              Security Advisory
Severity:          Important
Issued on:         2008-01-17
Last updated on:   2008-01-18
Affected Products: RHEL Desktop Workstation (v. 5 client)
                   Red Hat Enterprise Linux (v. 5 server)
                   Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL:              com.redhat.rhsa-20080031.xml
CVEs (cve.mitre.org):
                   CVE-2007-5760
                   CVE-2007-5958
                   CVE-2007-6427
                   CVE-2007-6428
                   CVE-2007-6429

Details

Updated xorg-x11-server packages that fix several security issues are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat
Security Response Team.
[Updated 18th January 2008]
The original packages distributed with this errata had a bug which could cause
some X applications to fail on 32-bit platforms. We have updated the packages
to correct this bug.

X.Org is an open source implementation of the X Window System. It provides
basic low-level functionality that full-fledged graphical user interfaces are
designed upon.

Two integer overflow flaws were found in the X.Org server's EVI and MIT-SHM
modules. A malicious authorized client could exploit these issues to cause a
denial of service (crash), or potentially execute arbitrary code with root
privileges on the X.Org server. (CVE-2007-6429)

A memory corruption flaw was found in the X.Org server's XInput extension. A
malicious authorized client could exploit this issue to cause a denial of
service (crash), or potentially execute arbitrary code with root privileges on
the X.Org server. (CVE-2007-6427)

An input validation flaw was found in the X.Org server's XFree86-Misc
extension. A malicious authorized client could exploit this issue to cause a
denial of service (crash), or potentially execute arbitrary code with root
privileges on the X.Org server. (CVE-2007-5760)

An information disclosure flaw was found in the X.Org server's TOG-CUP
extension. A malicious authorized client could exploit this issue to cause a
denial of service (crash), or potentially view arbitrary memory content within
the X server's address space. (CVE-2007-6428)

A flaw was found in the X.Org server's XC-SECURITY extension, that could have
allowed a local user to verify the existence of an arbitrary file, even in
directories that are not normally accessible to that user. (CVE-2007-5958)

Users of xorg-x11-server should upgrade to these updated packages, which
contain backported patches to resolve these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network.
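The advisory's remediation is "upgrade to these updated packages". The script below, an added example that is not part of the CIAC or Red Hat bulletin, turns that into an inventory check: it reads package name-version-release strings as `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` prints them and reports any xorg-x11-server subpackage whose build is older than the fixed one. The fixed version-release (1.1.1-48.26.el5_1.5) and the subpackage names are taken from the package list in the advisory; the version comparison is a reimplementation of rpmlib's rpmvercmp() segment rules (it ignores epoch and the '~'/'^' rules, which do not occur here); the sample `rpm -qa` output is constructed, and the older release 48.26.el5_1.3 in it is hypothetical.

```python
import re
from typing import List, Tuple

# Fixed build taken from the RHSA-2008:0031 package list (version, release).
FIXED_VERSION = "1.1.1"
FIXED_RELEASE = "48.26.el5_1.5"

# Binary subpackages built from xorg-x11-server, as listed in the advisory.
ADVISORY_PACKAGES = {
    "xorg-x11-server-Xdmx", "xorg-x11-server-Xephyr", "xorg-x11-server-Xnest",
    "xorg-x11-server-Xorg", "xorg-x11-server-Xvfb", "xorg-x11-server-sdk",
}

# rpmvercmp() splits a version into runs of digits and runs of letters;
# everything else ('.', '_', '-') is a separator and carries no weight.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Reimplementation of rpmlib's rpmvercmp() segment rules (epoch and the
    '~'/'^' rules are not handled): compare segment by segment; a numeric
    segment is newer than an alphabetic one; numeric segments compare by
    value (leading zeros dropped); alphabetic segments compare as strings;
    the side with segments left over is newer.
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    sa = _SEGMENT.findall(a)
    sb = _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn != yn:
            return 1 if xn else -1          # numeric beats alphabetic
        if xn:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):            # longer digit string is larger
                return 1 if len(x) > len(y) else -1
        if x != y:                          # same length: plain string order
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def compare_vr(installed: Tuple[str, str], fixed: Tuple[str, str]) -> int:
    """Compare (version, release) pairs: version decides, release breaks ties."""
    rc = rpmvercmp(installed[0], fixed[0])
    return rc if rc != 0 else rpmvercmp(installed[1], fixed[1])


def parse_nvr(line: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' from the right: version and release never
    contain '-', but package names do (xorg-x11-server-Xorg)."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release


def find_vulnerable(rpm_qa_output: str) -> List[str]:
    r"""Return the NVRs from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
    output that belong to this advisory and are older than the fixed build."""
    vulnerable = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, version, release = parse_nvr(line)
        if name not in ADVISORY_PACKAGES:
            continue
        if compare_vr((version, release), (FIXED_VERSION, FIXED_RELEASE)) < 0:
            vulnerable.append(line.strip())
    return vulnerable


# Constructed sample output (not from a real host): one subpackage on a
# hypothetical earlier build, one already at the fixed build, one unrelated.
SAMPLE_RPM_QA = """\
xorg-x11-server-Xorg-1.1.1-48.26.el5_1.3
xorg-x11-server-Xvfb-1.1.1-48.26.el5_1.5
xorg-x11-server-utils-7.1-4.fc6
"""

if __name__ == "__main__":
    for nvr in find_vulnerable(SAMPLE_RPM_QA):
        print("needs RHSA-2008:0031 update:", nvr)
```

On a live system, pipe the `rpm -qa` query into `find_vulnerable` instead of the constructed sample. The segment rules matter here: a naive string comparison would rank release `48.26.el5_1.10` below `48.26.el5_1.5`, whereas rpmvercmp (and this reimplementation) correctly treats it as newer.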
Details on how to use the Red Hat Network to apply this update are available
at http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
--------------------------------------------------------------------------------
IA-32:
xorg-x11-server-sdk-1.1.1-48.26.el5_1.5.i386.rpm      8fe231dda8a689751e380e66df569139

x86_64:
xorg-x11-server-sdk-1.1.1-48.26.el5_1.5.x86_64.rpm    ec728822a4832661e8532ef0d0cb7fe9

Red Hat Enterprise Linux (v. 5 server)
--------------------------------------------------------------------------------
SRPMS:
xorg-x11-server-1.1.1-48.26.el5_1.5.src.rpm           5448af77edce8cad6a4ead27d37fffd7

IA-32:
xorg-x11-server-Xdmx-1.1.1-48.26.el5_1.5.i386.rpm     354182405a55fbb93f03480f009383d1
xorg-x11-server-Xephyr-1.1.1-48.26.el5_1.5.i386.rpm   2b4d5db953c4e5c2228a715cc64c1343
xorg-x11-server-Xnest-1.1.1-48.26.el5_1.5.i386.rpm    94b09be233ba656285caaf129e7181b6
xorg-x11-server-Xorg-1.1.1-48.26.el5_1.5.i386.rpm     e2cdf359944a1d4272447e5186427192
xorg-x11-server-Xvfb-1.1.1-48.26.el5_1.5.i386.rpm     86b0e0881e5fdafb677a0772a94e0be3
xorg-x11-server-sdk-1.1.1-48.26.el5_1.5.i386.rpm      8fe231dda8a689751e380e66df569139

IA-64:
xorg-x11-server-Xdmx-1.1.1-48.26.el5_1.5.ia64.rpm     83688a68f5f44762b97b2424c0bcc356
xorg-x11-server-Xephyr-1.1.1-48.26.el5_1.5.ia64.rpm   c3ac38a8737586a01a7f0564beb3b94e
xorg-x11-server-Xnest-1.1.1-48.26.el5_1.5.ia64.rpm    03996dfcf7c7efee6862778cf0d7b1df
xorg-x11-server-Xorg-1.1.1-48.26.el5_1.5.ia64.rpm     df14d9ef1f41f29b8072d181d965acf9
xorg-x11-server-Xvfb-1.1.1-48.26.el5_1.5.ia64.rpm     728577c5ca39a16974eb16c86abddb63
xorg-x11-server-sdk-1.1.1-48.26.el5_1.5.ia64.rpm      71dab5d61d2d4033b3c8d6f5bdd58f33

PPC:
xorg-x11-server-Xdmx-1.1.1-48.26.el5_1.5.ppc.rpm      96385820dc4b526968856a14b3a4b397
xorg-x11-server-Xephyr-1.1.1-48.26.el5_1.5.ppc.rpm    1eab991693eb235933bb364e0df7f221
xorg-x11-server-Xnest-1.1.1-48.26.el5_1.5.ppc.rpm     6bf05261f176aad1eed0e3b1c8d7c168
xorg-x11-server-Xorg-1.1.1-48.26.el5_1.5.ppc.rpm      f33f768237bfaef54af213679229f47d
xorg-x11-server-Xvfb-1.1.1-48.26.el5_1.5.ppc.rpm      2f195f91843efee2040e9099fc742de6
xorg-x11-server-sdk-1.1.1-48.26.el5_1.5.ppc.rpm       2ad96e2c18d103017f285c23186824ce

s390x:
xorg-x11-server-Xephyr-1.1.1-48.26.el5_1.5.s390x.rpm  11a387893c9bc51290f35c806922d325
xorg-x11-server-Xnest-1.1.1-48.26.el5_1.5.s390x.rpm   75e6d9388f265b990044f5af285ebd99
xorg-x11-server-Xvfb-1.1.1-48.26.el5_1.5.s390x.rpm    56e90481cfeba8d5db0d5f1d9a520aaf

x86_64:
xorg-x11-server-Xdmx-1.1.1-48.26.el5_1.5.x86_64.rpm   f1366dba2eeb55c9f327d562908d1b24
xorg-x11-server-Xephyr-1.1.1-48.26.el5_1.5.x86_64.rpm b18c388d80c7ab3fb120c6ab582b08a0
xorg-x11-server-Xnest-1.1.1-48.26.el5_1.5.x86_64.rpm  767965859c627b4ca374be076c77ad31
xorg-x11-server-Xorg-1.1.1-48.26.el5_1.5.x86_64.rpm   7c554e8e1a0b3b2076be37d179124905
xorg-x11-server-Xvfb-1.1.1-48.26.el5_1.5.x86_64.rpm   c87aa609b5335bc5ac4f517119bf1f75
xorg-x11-server-sdk-1.1.1-48.26.el5_1.5.x86_64.rpm    ec728822a4832661e8532ef0d0cb7fe9

Red Hat Enterprise Linux Desktop (v. 5 client)
--------------------------------------------------------------------------------
SRPMS:
xorg-x11-server-1.1.1-48.26.el5_1.5.src.rpm           5448af77edce8cad6a4ead27d37fffd7

IA-32:
xorg-x11-server-Xdmx-1.1.1-48.26.el5_1.5.i386.rpm     354182405a55fbb93f03480f009383d1
xorg-x11-server-Xephyr-1.1.1-48.26.el5_1.5.i386.rpm   2b4d5db953c4e5c2228a715cc64c1343
xorg-x11-server-Xnest-1.1.1-48.26.el5_1.5.i386.rpm    94b09be233ba656285caaf129e7181b6
xorg-x11-server-Xorg-1.1.1-48.26.el5_1.5.i386.rpm     e2cdf359944a1d4272447e5186427192
xorg-x11-server-Xvfb-1.1.1-48.26.el5_1.5.i386.rpm     86b0e0881e5fdafb677a0772a94e0be3

x86_64:
xorg-x11-server-Xdmx-1.1.1-48.26.el5_1.5.x86_64.rpm   f1366dba2eeb55c9f327d562908d1b24
xorg-x11-server-Xephyr-1.1.1-48.26.el5_1.5.x86_64.rpm b18c388d80c7ab3fb120c6ab582b08a0
xorg-x11-server-Xnest-1.1.1-48.26.el5_1.5.x86_64.rpm  767965859c627b4ca374be076c77ad31
xorg-x11-server-Xorg-1.1.1-48.26.el5_1.5.x86_64.rpm   7c554e8e1a0b3b2076be37d179124905
xorg-x11-server-Xvfb-1.1.1-48.26.el5_1.5.x86_64.rpm
                                                      c87aa609b5335bc5ac4f517119bf1f75

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

391841 - CVE-2007-5958 Xorg / XFree86 file existence disclosure vulnerability
413721 - CVE-2007-6429 xorg / xfree86: integer overflow in EVI extension
413741 - CVE-2007-6429 xorg / xfree86: integer overflow in MIT-SHM extension
413791 - CVE-2007-6428 xorg / xfree86: information disclosure via TOG-CUP extension
413811 - CVE-2007-6427 xorg / xfree86: memory corruption via XInput extension
414031 - CVE-2007-5760 xorg: invalid array indexing in XFree86-Misc extension

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5760
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6429
http://www.redhat.com/security/updates/classification/#important

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2008:0031-8 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-113: Tog-Pegasus Security Update
S-114: Dovecot Vulnerability
S-115: AOL Radio AOLMediaPlaybackControl.exe Vulnerability
S-116: HP-UX Running X Font Server (xfs) Software
S-117: Oracle Critical Patch Update - January 2008
S-118: Apache httpd Vulnerabilities
S-119: apt-listchanges Vulnerability
S-120: Universal Plug and Play Vulnerability
S-121: Linux Kernel VFS Vulnerability
S-122: Cisco Unified Communications Manager CTL Provider Vulnerability